securemark 0.224.0 → 0.224.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +4 -0
  2. package/dist/securemark.js +100 -167
  3. package/package-lock.json +16 -16
  4. package/package.json +7 -7
  5. package/src/parser/inline/link.test.ts +26 -24
  6. package/src/parser/inline/link.ts +2 -2
  7. package/src/parser/inline/media.test.ts +25 -16
  8. package/src/parser/inline/media.ts +2 -2
package/CHANGELOG.md CHANGED
@@ -1,5 +1,9 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.224.1
4
+
5
+ - Refactoring.
6
+
3
7
  ## 0.224.0
4
8
 
5
9
  - Change media parser to disallow relative paths.
package/dist/securemark.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! securemark v0.224.0 https://github.com/falsandtru/securemark | (c) 2017, falsandtru | UNLICENSED */
1
+ /*! securemark v0.224.1 https://github.com/falsandtru/securemark | (c) 2017, falsandtru | UNLICENSED */
2
2
  require = function () {
3
3
  function r(e, n, t) {
4
4
  function o(i, f) {
@@ -215,21 +215,52 @@ require = function () {
215
215
  function (_dereq_, module, exports) {
216
216
  'use strict';
217
217
  Object.defineProperty(exports, '__esModule', { value: true });
218
- exports.aggregate = exports.bundle = void 0;
219
- function bundle(...as) {
218
+ exports.compile = exports.aggregate = exports.bundle = void 0;
219
+ const function_1 = _dereq_('./function');
220
+ function bundle(...fs) {
220
221
  return function (...bs) {
221
- return as.map((f, i) => f.call(this, bs[i]));
222
+ return fs.map((f, i) => f.call(this, bs[i]));
222
223
  };
223
224
  }
224
225
  exports.bundle = bundle;
225
- function aggregate(...as) {
226
- return function (b) {
227
- return as.map(f => f.call(this, b));
226
+ function aggregate(...fs) {
227
+ return function (a) {
228
+ return fs.map(f => f.call(this, a));
228
229
  };
229
230
  }
230
231
  exports.aggregate = aggregate;
232
+ function compile(...fs) {
233
+ return function (a) {
234
+ var _a;
235
+ const gs = [];
236
+ try {
237
+ for (let i = 0; i < fs.length; ++i) {
238
+ gs.push(fs[i].call(this, a));
239
+ }
240
+ return (0, function_1.singleton)(() => cancel(gs));
241
+ } catch (reason) {
242
+ cancel(gs);
243
+ throw new Error(`Spica: Arrow: ${ (_a = reason === null || reason === void 0 ? void 0 : reason.toString()) !== null && _a !== void 0 ? _a : reason }`);
244
+ }
245
+ };
246
+ }
247
+ exports.compile = compile;
248
+ function cancel(cancellers) {
249
+ const reasons = [];
250
+ for (let i = 0; i < cancellers.length; ++i) {
251
+ try {
252
+ cancellers[i]();
253
+ } catch (reason) {
254
+ reasons.push(reason);
255
+ }
256
+ }
257
+ if (reasons.length > 0) {
258
+ throw new AggregateError(reasons);
259
+ }
260
+ return;
261
+ }
231
262
  },
232
- {}
263
+ { './function': 16 }
233
264
  ],
234
265
  8: [
235
266
  function (_dereq_, module, exports) {
@@ -835,7 +866,7 @@ require = function () {
835
866
  exports.uncurry = uncurry;
836
867
  function uncurry_(f) {
837
868
  const arity = f.length;
838
- return (...xs) => arity === 0 || xs.length < 2 || xs.length <= arity ? f(...xs) : uncurry_(f(...(0, array_1.shift)(xs, arity)[0]))(...xs);
869
+ return (...xs) => arity === 0 || xs.length <= arity ? f(...xs) : uncurry_(f(...(0, array_1.shift)(xs, arity)[0]))(...xs);
839
870
  }
840
871
  },
841
872
  { './array': 6 }
@@ -869,9 +900,7 @@ require = function () {
869
900
  function (_dereq_, module, exports) {
870
901
  'use strict';
871
902
  Object.defineProperty(exports, '__esModule', { value: true });
872
- exports.run = exports.clear = exports.mapReturn = exports.mapParameters = exports.singleton = void 0;
873
- const global_1 = _dereq_('./global');
874
- const exception_1 = _dereq_('./exception');
903
+ exports.clear = exports.singleton = void 0;
875
904
  const noop_1 = _dereq_('./noop');
876
905
  function singleton(f) {
877
906
  let result;
@@ -884,55 +913,12 @@ require = function () {
884
913
  };
885
914
  }
886
915
  exports.singleton = singleton;
887
- function mapParameters(f, g) {
888
- return (...as) => f(...g(...as));
889
- }
890
- exports.mapParameters = mapParameters;
891
- function mapReturn(f, g) {
892
- return (...as) => g(f(...as));
893
- }
894
- exports.mapReturn = mapReturn;
895
916
  function clear(f) {
896
917
  return (...as) => void f(...as);
897
918
  }
898
919
  exports.clear = clear;
899
- function run(fs) {
900
- const gs = (0, global_1.Array)(fs.length);
901
- try {
902
- for (let i = 0; i < fs.length; ++i) {
903
- gs[i] = fs[i]();
904
- }
905
- } catch (reason) {
906
- for (let i = 0; gs[i]; ++i) {
907
- try {
908
- gs[i]();
909
- } catch (reason) {
910
- (0, exception_1.causeAsyncException)(reason);
911
- }
912
- }
913
- throw reason;
914
- }
915
- return singleton(() => {
916
- const rs = [];
917
- for (let i = 0; gs[i]; ++i) {
918
- try {
919
- gs[i]();
920
- } catch (reason) {
921
- rs.push(reason);
922
- }
923
- }
924
- if (rs.length > 0) {
925
- throw new AggregateError(rs);
926
- }
927
- });
928
- }
929
- exports.run = run;
930
920
  },
931
- {
932
- './exception': 14,
933
- './global': 17,
934
- './noop': 22
935
- }
921
+ { './noop': 22 }
936
922
  ],
937
923
  17: [
938
924
  function (_dereq_, module, exports) {
@@ -2165,7 +2151,7 @@ require = function () {
2165
2151
  }
2166
2152
  exports.join = join;
2167
2153
  },
2168
- { './global': 9 }
2154
+ { './global': 8 }
2169
2155
  ],
2170
2156
  6: [
2171
2157
  function (_dereq_, module, exports) {
@@ -2183,21 +2169,7 @@ require = function () {
2183
2169
  function (_dereq_, module, exports) {
2184
2170
  'use strict';
2185
2171
  Object.defineProperty(exports, '__esModule', { value: true });
2186
- exports.causeAsyncException = void 0;
2187
- function causeAsyncException(reason) {
2188
- void Promise.reject(reason);
2189
- }
2190
- exports.causeAsyncException = causeAsyncException;
2191
- },
2192
- {}
2193
- ],
2194
- 8: [
2195
- function (_dereq_, module, exports) {
2196
- 'use strict';
2197
- Object.defineProperty(exports, '__esModule', { value: true });
2198
- exports.run = exports.clear = exports.mapReturn = exports.mapParameters = exports.singleton = void 0;
2199
- const global_1 = _dereq_('./global');
2200
- const exception_1 = _dereq_('./exception');
2172
+ exports.clear = exports.singleton = void 0;
2201
2173
  const noop_1 = _dereq_('./noop');
2202
2174
  function singleton(f) {
2203
2175
  let result;
@@ -2210,57 +2182,14 @@ require = function () {
2210
2182
  };
2211
2183
  }
2212
2184
  exports.singleton = singleton;
2213
- function mapParameters(f, g) {
2214
- return (...as) => f(...g(...as));
2215
- }
2216
- exports.mapParameters = mapParameters;
2217
- function mapReturn(f, g) {
2218
- return (...as) => g(f(...as));
2219
- }
2220
- exports.mapReturn = mapReturn;
2221
2185
  function clear(f) {
2222
2186
  return (...as) => void f(...as);
2223
2187
  }
2224
2188
  exports.clear = clear;
2225
- function run(fs) {
2226
- const gs = (0, global_1.Array)(fs.length);
2227
- try {
2228
- for (let i = 0; i < fs.length; ++i) {
2229
- gs[i] = fs[i]();
2230
- }
2231
- } catch (reason) {
2232
- for (let i = 0; gs[i]; ++i) {
2233
- try {
2234
- gs[i]();
2235
- } catch (reason) {
2236
- (0, exception_1.causeAsyncException)(reason);
2237
- }
2238
- }
2239
- throw reason;
2240
- }
2241
- return singleton(() => {
2242
- const rs = [];
2243
- for (let i = 0; gs[i]; ++i) {
2244
- try {
2245
- gs[i]();
2246
- } catch (reason) {
2247
- rs.push(reason);
2248
- }
2249
- }
2250
- if (rs.length > 0) {
2251
- throw new AggregateError(rs);
2252
- }
2253
- });
2254
- }
2255
- exports.run = run;
2256
2189
  },
2257
- {
2258
- './exception': 7,
2259
- './global': 9,
2260
- './noop': 11
2261
- }
2190
+ { './noop': 10 }
2262
2191
  ],
2263
- 9: [
2192
+ 8: [
2264
2193
  function (_dereq_, module, exports) {
2265
2194
  'use strict';
2266
2195
  const global = void 0 || typeof globalThis !== 'undefined' && globalThis || typeof self !== 'undefined' && self || Function('return this')();
@@ -2269,7 +2198,7 @@ require = function () {
2269
2198
  },
2270
2199
  {}
2271
2200
  ],
2272
- 10: [
2201
+ 9: [
2273
2202
  function (_dereq_, module, exports) {
2274
2203
  'use strict';
2275
2204
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -2310,10 +2239,10 @@ require = function () {
2310
2239
  },
2311
2240
  {
2312
2241
  './compare': 6,
2313
- './global': 9
2242
+ './global': 8
2314
2243
  }
2315
2244
  ],
2316
- 11: [
2245
+ 10: [
2317
2246
  function (_dereq_, module, exports) {
2318
2247
  'use strict';
2319
2248
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -2324,7 +2253,7 @@ require = function () {
2324
2253
  },
2325
2254
  {}
2326
2255
  ],
2327
- 12: [
2256
+ 11: [
2328
2257
  function (_dereq_, module, exports) {
2329
2258
  'use strict';
2330
2259
  var _a, _b;
@@ -2671,11 +2600,11 @@ require = function () {
2671
2600
  },
2672
2601
  {
2673
2602
  './alias': 4,
2674
- './global': 9,
2675
- './noop': 11
2603
+ './global': 8,
2604
+ './noop': 10
2676
2605
  }
2677
2606
  ],
2678
- 13: [
2607
+ 12: [
2679
2608
  function (_dereq_, module, exports) {
2680
2609
  'use strict';
2681
2610
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -2757,9 +2686,9 @@ require = function () {
2757
2686
  }
2758
2687
  }
2759
2688
  },
2760
- { './global': 9 }
2689
+ { './global': 8 }
2761
2690
  ],
2762
- 14: [
2691
+ 13: [
2763
2692
  function (_dereq_, module, exports) {
2764
2693
  'use strict';
2765
2694
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -2812,12 +2741,12 @@ require = function () {
2812
2741
  }
2813
2742
  },
2814
2743
  {
2815
- './proxy': 15,
2816
- './util/dom': 16,
2744
+ './proxy': 14,
2745
+ './util/dom': 15,
2817
2746
  'spica/alias': 4
2818
2747
  }
2819
2748
  ],
2820
- 15: [
2749
+ 14: [
2821
2750
  function (_dereq_, module, exports) {
2822
2751
  'use strict';
2823
2752
  var _a, _b, _c, _d;
@@ -3121,14 +3050,14 @@ require = function () {
3121
3050
  }
3122
3051
  },
3123
3052
  {
3124
- './util/dom': 16,
3125
- './util/identity': 17,
3053
+ './util/dom': 15,
3054
+ './util/identity': 16,
3126
3055
  'spica/alias': 4,
3127
3056
  'spica/array': 5,
3128
- 'spica/global': 9
3057
+ 'spica/global': 8
3129
3058
  }
3130
3059
  ],
3131
- 16: [
3060
+ 15: [
3132
3061
  function (_dereq_, module, exports) {
3133
3062
  'use strict';
3134
3063
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -3196,18 +3125,22 @@ require = function () {
3196
3125
  case 'function':
3197
3126
  if (name.length < 3)
3198
3127
  throw new Error(`TypedDOM: Attribute names for event listeners must have an event name but got "${ name }".`);
3199
- if (name.slice(0, 2) !== 'on')
3200
- throw new Error(`TypedDOM: Attribute names for event listeners must start with "on" but got "${ name }".`);
3201
- el.addEventListener(name.slice(2), value, {
3202
- passive: [
3203
- 'wheel',
3204
- 'mousewheel',
3205
- 'touchstart',
3206
- 'touchmove',
3207
- 'touchend',
3208
- 'touchcancel'
3209
- ].includes(name.slice(2))
3210
- });
3128
+ const names = name.split(/\s+/);
3129
+ for (let i = 0; i < names.length; ++i) {
3130
+ const name = names[i];
3131
+ if (name.slice(0, 2) !== 'on')
3132
+ throw new Error(`TypedDOM: Attribute names for event listeners must start with "on" but got "${ name }".`);
3133
+ el.addEventListener(name.slice(2), value, {
3134
+ passive: [
3135
+ 'wheel',
3136
+ 'mousewheel',
3137
+ 'touchstart',
3138
+ 'touchmove',
3139
+ 'touchend',
3140
+ 'touchcancel'
3141
+ ].includes(name.slice(2))
3142
+ });
3143
+ }
3211
3144
  continue;
3212
3145
  case 'object':
3213
3146
  el.removeAttribute(name);
@@ -3242,11 +3175,11 @@ require = function () {
3242
3175
  },
3243
3176
  {
3244
3177
  'spica/alias': 4,
3245
- 'spica/global': 9,
3246
- 'spica/memoize': 10
3178
+ 'spica/global': 8,
3179
+ 'spica/memoize': 9
3247
3180
  }
3248
3181
  ],
3249
- 17: [
3182
+ 16: [
3250
3183
  function (_dereq_, module, exports) {
3251
3184
  'use strict';
3252
3185
  var _a;
@@ -3258,11 +3191,11 @@ require = function () {
3258
3191
  exports.identity = (0, random_1.unique)(random_1.rnd0Z, 2, (_a = global_1.global[ids]) !== null && _a !== void 0 ? _a : global_1.global[ids] = new global_1.Set());
3259
3192
  },
3260
3193
  {
3261
- 'spica/global': 9,
3262
- 'spica/random': 13
3194
+ 'spica/global': 8,
3195
+ 'spica/random': 12
3263
3196
  }
3264
3197
  ],
3265
- 18: [
3198
+ 17: [
3266
3199
  function (_dereq_, module, exports) {
3267
3200
  'use strict';
3268
3201
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -3313,12 +3246,12 @@ require = function () {
3313
3246
  exports.bind = bind;
3314
3247
  },
3315
3248
  {
3316
- 'spica/function': 8,
3317
- 'spica/noop': 11,
3318
- 'spica/promise': 12
3249
+ 'spica/function': 7,
3250
+ 'spica/noop': 10,
3251
+ 'spica/promise': 11
3319
3252
  }
3320
3253
  ],
3321
- 19: [
3254
+ 18: [
3322
3255
  function (_dereq_, module, exports) {
3323
3256
  'use strict';
3324
3257
  Object.defineProperty(exports, '__esModule', { value: true });
@@ -3333,7 +3266,7 @@ require = function () {
3333
3266
  }
3334
3267
  exports.apply = apply;
3335
3268
  },
3336
- { './dom': 16 }
3269
+ { './dom': 15 }
3337
3270
  ],
3338
3271
  'typed-dom': [
3339
3272
  function (_dereq_, module, exports) {
@@ -3475,13 +3408,13 @@ require = function () {
3475
3408
  });
3476
3409
  },
3477
3410
  {
3478
- './src/builder': 14,
3479
- './src/proxy': 15,
3480
- './src/util/dom': 16,
3481
- './src/util/identity': 17,
3482
- './src/util/listener': 18,
3483
- './src/util/query': 19,
3484
- 'spica/global': 9
3411
+ './src/builder': 13,
3412
+ './src/proxy': 14,
3413
+ './src/util/dom': 15,
3414
+ './src/util/identity': 16,
3415
+ './src/util/listener': 17,
3416
+ './src/util/query': 18,
3417
+ 'spica/global': 8
3485
3418
  }
3486
3419
  ]
3487
3420
  }, {}, [
@@ -7735,9 +7668,9 @@ require = function () {
7735
7668
  switch (uri.protocol) {
7736
7669
  case 'http:':
7737
7670
  case 'https:':
7738
- if (INSECURE_URI.slice(0, 2) === '^/' && /(?:\/\.\.?)(?:\/|$)/.test(INSECURE_URI.slice(0, INSECURE_URI.search(/[?#]|$/)))) {
7671
+ if (INSECURE_URI.slice(0, 2) === '^/' && /\/\.\.?(?:\/|$)/.test(INSECURE_URI.slice(0, INSECURE_URI.search(/[?#]|$/)))) {
7739
7672
  type = 'argument';
7740
- description = 'Subresource paths cannot contain dot-segments.';
7673
+ description = 'Dot-segments cannot be used in subresource paths.';
7741
7674
  break;
7742
7675
  }
7743
7676
  return (0, typed_dom_1.html)('a', {
@@ -7970,12 +7903,12 @@ require = function () {
7970
7903
  link_1.option
7971
7904
  ]);
7972
7905
  function sanitize(uri, target) {
7973
- if (/^\.\.?\//.test(uri.source)) {
7906
+ if (/\/\.\.?(?:\/|$)/.test('/' + uri.source.slice(0, uri.source.search(/[?#]|$/)))) {
7974
7907
  (0, typed_dom_1.define)(target, {
7975
7908
  class: void target.classList.add('invalid'),
7976
7909
  'data-invalid-syntax': 'media',
7977
7910
  'data-invalid-type': 'argument',
7978
- 'data-invalid-description': 'Relative paths cannot be used with media syntax; Use subresource paths instead.'
7911
+ 'data-invalid-description': 'Dot-segments cannot be used in media paths; use subresource paths instead.'
7979
7912
  });
7980
7913
  return false;
7981
7914
  }
package/package-lock.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "securemark",
3
- "version": "0.224.0",
3
+ "version": "0.224.1",
4
4
  "lockfileVersion": 1,
5
5
  "requires": true,
6
6
  "dependencies": {
@@ -522,9 +522,9 @@
522
522
  "dev": true
523
523
  },
524
524
  "@types/dompurify": {
525
- "version": "2.3.1",
526
- "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-2.3.1.tgz",
527
- "integrity": "sha512-YJth9qa0V/E6/XPH1Jq4BC8uCMmO8V1fKWn8PCvuZcAhMn7q0ez9LW6naQT04UZzjFfAPhyRMZmI2a2rbMlEFA==",
525
+ "version": "2.3.2",
526
+ "resolved": "https://registry.npmjs.org/@types/dompurify/-/dompurify-2.3.2.tgz",
527
+ "integrity": "sha512-iht/O0jie/hDur39Z1NzjfOT/O9Kn2aWY99aqOn7lwsjSttEoMyGWvZIuAzZy0cNvAZdjmqySp7Z4d3GfBEGQw==",
528
528
  "dev": true,
529
529
  "requires": {
530
530
  "@types/trusted-types": "*"
@@ -547,9 +547,9 @@
547
547
  "dev": true
548
548
  },
549
549
  "@types/jquery": {
550
- "version": "3.5.9",
551
- "resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-3.5.9.tgz",
552
- "integrity": "sha512-B8pDk+sH/tSv/HKdx6EQER6BfUOb2GtKs0LOmozziS4h7cbe8u/eYySfUAeTwD+J09SqV3man7AMWIA5mgzCBA==",
550
+ "version": "3.5.10",
551
+ "resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-3.5.10.tgz",
552
+ "integrity": "sha512-w2qT5DFikh5TXrW/aOaCvCP8g2MMAfPXo3oeHR9v7dRuAZhu38PUWEkYrL4e9VRTcgZE4yER21AHndgpq2QPTQ==",
553
553
  "dev": true,
554
554
  "requires": {
555
555
  "@types/sizzle": "*"
@@ -9449,9 +9449,9 @@
9449
9449
  "dev": true
9450
9450
  },
9451
9451
  "spica": {
9452
- "version": "0.0.492",
9453
- "resolved": "https://registry.npmjs.org/spica/-/spica-0.0.492.tgz",
9454
- "integrity": "sha512-RRkarcCp/GzdExxZKSgPBMcMMhypt77A4vFunI57yKZ84VF+Wx35kDGhZC09vcDWPMDaCOPVWbEBYCfciEYQCw==",
9452
+ "version": "0.0.494",
9453
+ "resolved": "https://registry.npmjs.org/spica/-/spica-0.0.494.tgz",
9454
+ "integrity": "sha512-QWdBjWGvCfHocwx2RDurOhhDDxs/HfRP33eLRVFoJCWx0UYS12NZhVZfCgD5NosuiOrZrwsIZ1/ppNXxEMlNaQ==",
9455
9455
  "dev": true
9456
9456
  },
9457
9457
  "split-string": {
@@ -10024,9 +10024,9 @@
10024
10024
  "dev": true
10025
10025
  },
10026
10026
  "typed-dom": {
10027
- "version": "0.0.247",
10028
- "resolved": "https://registry.npmjs.org/typed-dom/-/typed-dom-0.0.247.tgz",
10029
- "integrity": "sha512-EmFFA1Ymmu8P+VX6scMr/vp2zbQKbjdmnW00jyoWMofr/eDPtdAQGU/SeyXbF3GYOWAml0fl3WXYCUe+G0gkew==",
10027
+ "version": "0.0.248",
10028
+ "resolved": "https://registry.npmjs.org/typed-dom/-/typed-dom-0.0.248.tgz",
10029
+ "integrity": "sha512-iwOQlPwma7lQipzbsG6wkc0Z8lM2L0pApdRLe8k4/oVPEIT4y5TWyZb+NB14lcXWqL90Hph0dTASuJL/SB31fg==",
10030
10030
  "dev": true
10031
10031
  },
10032
10032
  "typedarray": {
@@ -10045,9 +10045,9 @@
10045
10045
  }
10046
10046
  },
10047
10047
  "typescript": {
10048
- "version": "4.5.2",
10049
- "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.5.2.tgz",
10050
- "integrity": "sha512-5BlMof9H1yGt0P8/WF+wPNw6GfctgGjXp5hkblpyT+8rkASSmkUKMXrxR0Xg8ThVCi/JnHQiKXeBaEwCeQwMFw==",
10048
+ "version": "4.5.3",
10049
+ "resolved": "https://registry.npmjs.org/typescript/-/typescript-4.5.3.tgz",
10050
+ "integrity": "sha512-eVYaEHALSt+s9LbvgEv4Ef+Tdq7hBiIZgii12xXJnukryt3pMgJf6aKhoCZ3FWQsu6sydEnkg11fYXLzhLBjeQ==",
10051
10051
  "dev": true
10052
10052
  },
10053
10053
  "ua-parser-js": {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "securemark",
3
- "version": "0.224.0",
3
+ "version": "0.224.1",
4
4
  "description": "Secure markdown renderer working on browsers for user input data.",
5
5
  "private": false,
6
6
  "homepage": "https://github.com/falsandtru/securemark",
@@ -30,8 +30,8 @@
30
30
  "dompurify": "global:DOMPurify"
31
31
  },
32
32
  "devDependencies": {
33
- "@types/dompurify": "2.3.1",
34
- "@types/jquery": "3.5.9",
33
+ "@types/dompurify": "2.3.2",
34
+ "@types/jquery": "3.5.10",
35
35
  "@types/mathjax": "0.0.37",
36
36
  "@types/mocha": "9.0.0",
37
37
  "@types/power-assert": "1.5.8",
@@ -56,13 +56,13 @@
56
56
  "karma-firefox-launcher": "^2.1.2",
57
57
  "karma-mocha": "^2.0.1",
58
58
  "mocha": "^9.1.3",
59
- "npm-check-updates": "^12.0.2",
59
+ "npm-check-updates": "^12.0.3",
60
60
  "power-assert": "^1.6.1",
61
61
  "semver": "^7.3.5",
62
- "spica": "0.0.492",
62
+ "spica": "0.0.494",
63
63
  "tsify": "^5.0.4",
64
- "typed-dom": "0.0.247",
65
- "typescript": "4.5.2",
64
+ "typed-dom": "0.0.248",
65
+ "typescript": "4.5.3",
66
66
  "vinyl-buffer": "^1.0.1",
67
67
  "vinyl-source-stream": "^2.0.0"
68
68
  },
package/src/parser/inline/link.test.ts CHANGED
@@ -51,31 +51,40 @@ describe('Unit: parser/inline/link', () => {
51
51
  assert.deepStrictEqual(inspect(parser('[]{ }')), undefined);
52
52
  assert.deepStrictEqual(inspect(parser('[]{ }')), undefined);
53
53
  assert.deepStrictEqual(inspect(parser('[]{{}')), undefined);
54
- assert.deepStrictEqual(inspect(parser('[]{{a}}')), undefined);
55
- assert.deepStrictEqual(inspect(parser('[]{a\nb}')), undefined);
56
- assert.deepStrictEqual(inspect(parser('[]{a\\\nb}')), undefined);
57
- assert.deepStrictEqual(inspect(parser('[]{ a}')), undefined);
58
- assert.deepStrictEqual(inspect(parser('[]{ a\n}')), undefined);
54
+ assert.deepStrictEqual(inspect(parser('[]{{b}}')), undefined);
55
+ assert.deepStrictEqual(inspect(parser('[]{b\nb}')), undefined);
56
+ assert.deepStrictEqual(inspect(parser('[]{b\\\nb}')), undefined);
57
+ assert.deepStrictEqual(inspect(parser('[]{ b}')), undefined);
58
+ assert.deepStrictEqual(inspect(parser('[]{ b\n}')), undefined);
59
59
  assert.deepStrictEqual(inspect(parser('[ ]{}')), undefined);
60
60
  assert.deepStrictEqual(inspect(parser('[ ]{ }')), undefined);
61
- assert.deepStrictEqual(inspect(parser('[ ]{a}')), undefined);
62
- assert.deepStrictEqual(inspect(parser('[ ]{a}')), undefined);
63
- assert.deepStrictEqual(inspect(parser('[\n]{}')), undefined);
64
- assert.deepStrictEqual(inspect(parser('[\\ ]{}')), undefined);
65
- assert.deepStrictEqual(inspect(parser('[\\\n]{}')), undefined);
66
- assert.deepStrictEqual(inspect(parser('[[]{}')), undefined);
67
- assert.deepStrictEqual(inspect(parser('[]]{}')), undefined);
61
+ assert.deepStrictEqual(inspect(parser('[ ]{b}')), undefined);
62
+ assert.deepStrictEqual(inspect(parser('[ ]{b}')), undefined);
63
+ assert.deepStrictEqual(inspect(parser('[\n]{b}')), undefined);
64
+ assert.deepStrictEqual(inspect(parser('[\\ ]{b}')), undefined);
65
+ assert.deepStrictEqual(inspect(parser('[\\\n]{b}')), undefined);
66
+ assert.deepStrictEqual(inspect(parser('[&Tab;]{b}')), undefined);
67
+ assert.deepStrictEqual(inspect(parser('[[]{b}')), undefined);
68
+ assert.deepStrictEqual(inspect(parser('[]]{b}')), undefined);
68
69
  assert.deepStrictEqual(inspect(parser('[a]{}')), undefined);
69
- assert.deepStrictEqual(inspect(parser('[a\nb]{#}')), undefined);
70
- assert.deepStrictEqual(inspect(parser('[a\\\nb]{#}')), undefined);
71
- assert.deepStrictEqual(inspect(parser('[<wbr>]{/}')), undefined);
72
- assert.deepStrictEqual(inspect(parser('[[# a #]]{#}')), undefined);
70
+ assert.deepStrictEqual(inspect(parser('[\\ a]{b}')), undefined);
71
+ assert.deepStrictEqual(inspect(parser('[ \\ a]{b}')), undefined);
72
+ assert.deepStrictEqual(inspect(parser('[a\nb]{b}')), undefined);
73
+ assert.deepStrictEqual(inspect(parser('[a\\\nb]{b}')), undefined);
74
+ assert.deepStrictEqual(inspect(parser('[<wbr>]{b}')), undefined);
75
+ assert.deepStrictEqual(inspect(parser('[[# a #]]{b}')), undefined);
73
76
  assert.deepStrictEqual(inspect(parser('[*a\nb*]{/}')), undefined);
74
77
  assert.deepStrictEqual(inspect(parser('[http://host]{http://host}')), undefined);
75
78
  assert.deepStrictEqual(inspect(parser('[]{ttp://host}')), [['<a class="invalid">ttp://host</a>'], '']);
76
79
  //assert.deepStrictEqual(inspect(parser('[]{http://[::ffff:0:0%1]}')), [['<a class="invalid">http://[::ffff:0:0%1]</a>'], '']);
77
80
  //assert.deepStrictEqual(inspect(parser('[]{http://[::ffff:0:0/96]}')), [['<a class="invalid">http://[::ffff:0:0/96]</a>'], '']);
78
- assert.deepStrictEqual(inspect(parser(' []{a}')), undefined);
81
+ assert.deepStrictEqual(inspect(parser('[]{^/.}')), [[`<a class="invalid">^/.</a>`], '']);
82
+ assert.deepStrictEqual(inspect(parser('[]{^/..}')), [[`<a class="invalid">^/..</a>`], '']);
83
+ assert.deepStrictEqual(inspect(parser('[]{^/../}')), [[`<a class="invalid">^/../</a>`], '']);
84
+ assert.deepStrictEqual(inspect(parser('[]{^/../..}')), [[`<a class="invalid">^/../..</a>`], '']);
85
+ assert.deepStrictEqual(inspect(parser('[]{^/../b}')), [[`<a class="invalid">^/../b</a>`], '']);
86
+ assert.deepStrictEqual(inspect(parser('[]{^/../b/..}')), [[`<a class="invalid">^/../b/..</a>`], '']);
87
+ assert.deepStrictEqual(inspect(parser(' []{b}')), undefined);
79
88
  assert.deepStrictEqual(inspect(parser('![]{/}')), undefined);
80
89
  });
81
90
 
@@ -94,13 +103,6 @@ describe('Unit: parser/inline/link', () => {
94
103
  assert.deepStrictEqual(inspect(parser('[]{#b}')), [['<a href="#b">#b</a>'], '']);
95
104
  assert.deepStrictEqual(inspect(parser('[]{./b}')), [['<a href="./b">./b</a>'], '']);
96
105
  assert.deepStrictEqual(inspect(parser('[]{^/b}')), [[`<a href="/b">^/b</a>`], '']);
97
- assert.deepStrictEqual(inspect(parser('[]{^/b/.}')), [[`<a class="invalid">^/b/.</a>`], '']);
98
- assert.deepStrictEqual(inspect(parser('[]{^/b/./}')), [[`<a class="invalid">^/b/./</a>`], '']);
99
- assert.deepStrictEqual(inspect(parser('[]{^/b/..}')), [[`<a class="invalid">^/b/..</a>`], '']);
100
- assert.deepStrictEqual(inspect(parser('[]{^/b/../}')), [[`<a class="invalid">^/b/../</a>`], '']);
101
- assert.deepStrictEqual(inspect(parser('[]{^/b/../..}')), [[`<a class="invalid">^/b/../..</a>`], '']);
102
- assert.deepStrictEqual(inspect(parser('[]{^/b/../c}')), [[`<a class="invalid">^/b/../c</a>`], '']);
103
- assert.deepStrictEqual(inspect(parser('[]{^/b/../c/..}')), [[`<a class="invalid">^/b/../c/..</a>`], '']);
104
106
  assert.deepStrictEqual(inspect(parser('[]{^/b?/../}')), [[`<a href="/b?/../">^/b?/../</a>`], '']);
105
107
  assert.deepStrictEqual(inspect(parser('[]{^/b#/../}')), [[`<a href="/b#/../">^/b#/../</a>`], '']);
106
108
  assert.deepStrictEqual(inspect(parser('[]{^/b}', { host: new URL('/dir', location.origin) })), [[`<a href="/dir/b">^/b</a>`], '']);
package/src/parser/inline/link.ts CHANGED
@@ -111,9 +111,9 @@ function create(
111
111
  case 'https:':
112
112
  assert(uri.host);
113
113
  if (INSECURE_URI.slice(0, 2) === '^/' &&
114
- /(?:\/\.\.?)(?:\/|$)/.test(INSECURE_URI.slice(0, INSECURE_URI.search(/[?#]|$/)))) {
114
+ /\/\.\.?(?:\/|$)/.test(INSECURE_URI.slice(0, INSECURE_URI.search(/[?#]|$/)))) {
115
115
  type = 'argument';
116
- description = 'Subresource paths cannot contain dot-segments.';
116
+ description = 'Dot-segments cannot be used in subresource paths.';
117
117
  break;
118
118
  }
119
119
  return html('a',
package/src/parser/inline/media.test.ts CHANGED
@@ -29,27 +29,34 @@ describe('Unit: parser/inline/media', () => {
29
29
  assert.deepStrictEqual(inspect(parser('![]{ }')), undefined);
30
30
  assert.deepStrictEqual(inspect(parser('![]]{/}')), undefined);
31
31
  assert.deepStrictEqual(inspect(parser('![]{{}')), undefined);
32
- assert.deepStrictEqual(inspect(parser('![]{{a}}')), undefined);
33
- assert.deepStrictEqual(inspect(parser('![]{a\nb}')), undefined);
34
- assert.deepStrictEqual(inspect(parser('![]{a\\\nb}')), undefined);
35
- assert.deepStrictEqual(inspect(parser('![]{ a}')), undefined);
36
- assert.deepStrictEqual(inspect(parser('![]{ a\n}')), undefined);
37
- assert.deepStrictEqual(inspect(parser('![ ]{#}')), undefined);
38
- assert.deepStrictEqual(inspect(parser('![ ]{#}')), undefined);
39
- assert.deepStrictEqual(inspect(parser('![\\ ]{#}')), undefined);
40
- assert.deepStrictEqual(inspect(parser('![&Tab;]{#}')), undefined);
32
+ assert.deepStrictEqual(inspect(parser('![]{{b}}')), undefined);
33
+ assert.deepStrictEqual(inspect(parser('![]{b\nc}')), undefined);
34
+ assert.deepStrictEqual(inspect(parser('![]{a\\\nc}')), undefined);
35
+ assert.deepStrictEqual(inspect(parser('![]{ b}')), undefined);
36
+ assert.deepStrictEqual(inspect(parser('![]{ b\n}')), undefined);
37
+ assert.deepStrictEqual(inspect(parser('![ ]{}')), undefined);
38
+ assert.deepStrictEqual(inspect(parser('![ ]{b}')), undefined);
39
+ assert.deepStrictEqual(inspect(parser('![ ]{b}')), undefined);
40
+ assert.deepStrictEqual(inspect(parser('![\n]{b}')), undefined);
41
+ assert.deepStrictEqual(inspect(parser('![\\ ]{b}')), undefined);
42
+ assert.deepStrictEqual(inspect(parser('![\\\n]{b}')), undefined);
43
+ assert.deepStrictEqual(inspect(parser('![&Tab;]{b}')), undefined);
44
+ assert.deepStrictEqual(inspect(parser('![[]{b}')), undefined);
45
+ assert.deepStrictEqual(inspect(parser('![]]{b}')), undefined);
41
46
  assert.deepStrictEqual(inspect(parser('![a]{}')), undefined);
42
- assert.deepStrictEqual(inspect(parser('![\\ a ]{#}')), undefined);
43
- assert.deepStrictEqual(inspect(parser('![ \\ a ]{#}')), undefined);
44
- assert.deepStrictEqual(inspect(parser('![a\nb]{#}')), undefined);
45
- assert.deepStrictEqual(inspect(parser('![a\\\nb]{#}')), undefined);
47
+ assert.deepStrictEqual(inspect(parser('![\\ a ]{b}')), undefined);
48
+ assert.deepStrictEqual(inspect(parser('![ \\ a ]{b}')), undefined);
49
+ assert.deepStrictEqual(inspect(parser('![a\nb]{b}')), undefined);
50
+ assert.deepStrictEqual(inspect(parser('![a\\\nb]{b}')), undefined);
46
51
  assert.deepStrictEqual(inspect(parser('![]{ttp://host}')), [['<img class="media invalid" data-src="ttp://host" alt="">'], '']);
47
52
  assert.deepStrictEqual(inspect(parser('![]{tel:1234567890}')), [['<img class="media invalid" data-src="tel:1234567890" alt="">'], '']);
48
53
  //assert.deepStrictEqual(inspect(parser('![]{http://[::ffff:0:0%1]}')), [['<img class="media invalid" alt="">'], '']);
49
54
  //assert.deepStrictEqual(inspect(parser('![]{http://[::ffff:0:0/96]}')), [['<img class="media invalid" alt="">'], '']);
50
- assert.deepStrictEqual(inspect(parser('![]{./a}')), [['<img class="media invalid" data-src="./a" alt="">'], '']);
51
- assert.deepStrictEqual(inspect(parser('![]{../a}')), [['<img class="media invalid" data-src="../a" alt="">'], '']);
52
- assert.deepStrictEqual(inspect(parser(' ![]{a}')), undefined);
55
+ assert.deepStrictEqual(inspect(parser('![]{.}')), [['<img class="media invalid" data-src="." alt="">'], '']);
56
+ assert.deepStrictEqual(inspect(parser('![]{..}')), [['<img class="media invalid" data-src=".." alt="">'], '']);
57
+ assert.deepStrictEqual(inspect(parser('![]{../}')), [['<img class="media invalid" data-src="../" alt="">'], '']);
58
+ assert.deepStrictEqual(inspect(parser('![]{/../b}')), [['<img class="media invalid" data-src="/../b" alt="">'], '']);
59
+ assert.deepStrictEqual(inspect(parser(' ![]{b}')), undefined);
53
60
  assert.deepStrictEqual(inspect(parser('[]{/}')), undefined);
54
61
  });
55
62
 
@@ -62,6 +69,8 @@ describe('Unit: parser/inline/media', () => {
62
69
  assert.deepStrictEqual(inspect(parser('![]{\\}')), [['<a href="\\" target="_blank"><img class="media" data-src="\\" alt=""></a>'], '']);
63
70
  assert.deepStrictEqual(inspect(parser('![]{\\ }')), [['<a href="\\" target="_blank"><img class="media" data-src="\\" alt=""></a>'], '']);
64
71
  assert.deepStrictEqual(inspect(parser('![]{\\b}')), [['<a href="\\b" target="_blank"><img class="media" data-src="\\b" alt=""></a>'], '']);
72
+ assert.deepStrictEqual(inspect(parser('![]{?/../}')), [[`<a href="?/../" target="_blank"><img class="media" data-src="?/../" alt=""></a>`], '']);
73
+ assert.deepStrictEqual(inspect(parser('![]{#/../}')), [[`<a href="#/../" target="_blank"><img class="media" data-src="#/../" alt=""></a>`], '']);
65
74
  assert.deepStrictEqual(inspect(parser('![]{^/b}')), [[`<a href="/b" target="_blank"><img class="media" data-src="/b" alt=""></a>`], '']);
66
75
  assert.deepStrictEqual(inspect(parser('![ a]{b}')), [['<a href="b" target="_blank"><img class="media" data-src="b" alt="a"></a>'], '']);
67
76
  assert.deepStrictEqual(inspect(parser('![ a ]{b}')), [['<a href="b" target="_blank"><img class="media" data-src="b" alt="a"></a>'], '']);
package/src/parser/inline/media.ts CHANGED
@@ -68,12 +68,12 @@ const option: MediaParser.ParameterParser.OptionParser = union([
68
68
  function sanitize(uri: ReadonlyURL, target: HTMLElement): boolean {
69
69
  assert(target.tagName === 'IMG');
70
70
  assert(!target.matches('.invalid'));
71
- if (/^\.\.?\//.test(uri.source)) {
71
+ if (/\/\.\.?(?:\/|$)/.test('/' + uri.source.slice(0, uri.source.search(/[?#]|$/)))) {
72
72
  define(target, {
73
73
  class: void target.classList.add('invalid'),
74
74
  'data-invalid-syntax': 'media',
75
75
  'data-invalid-type': 'argument',
76
- 'data-invalid-description': 'Relative paths cannot be used with media syntax; Use subresource paths instead.',
76
+ 'data-invalid-description': 'Dot-segments cannot be used in media paths; use subresource paths instead.',
77
77
  });
78
78
  return false;
79
79
  }